Abstract

Independence, or simultaneous broadcast, is a fundamental tool to achieve security in fault tolerant distributed computing. It allows n players to commit to independently chosen values. In this paper we present a constant round protocol to perform this task. Previous solutions were all O(log n) rounds. In the process we develop a new and stronger formal definition for this problem.

As an example of the importance of independence in distributed protocols, we show an attack on the Sako-Kilian election scheme presented at CRYPTO 94, made possible by that protocol's failure to achieve independence. Using our techniques we show how to modify the scheme to make it secure.

1 Introduction 

Independence is a fundamental tool to achieve security in fault tolerant distributed protocols. In this paper we present improved results based on a careful exploitation of the properties of non-interactive proofs [2]. In particular we exhibit the first constant round protocol for the problem of simultaneous broadcast (previous solutions were O(log n) rounds, where n is the number of processors in the system). In the process we develop a new and stronger formal definition for this problem. Finally, as a practical example of the importance of achieving independence in distributed protocols, we show an attack on the Sako-Kilian election scheme [10] made possible by that protocol's failure to achieve independence. Using our techniques we show how to fix this problem and make the Sako-Kilian scheme secure.



1.1 Why independence? 

The problem of independence in distributed protocols has been put forward by Chor 
and Rabin in [3] and subsequently by Dolev, Dwork and Naor in [5]. 

Informally this means that we are looking for protocols in which two or more parties announce some values, and we want to prevent any of them from correlating in any manner his/her own values to the values that the other parties have announced. To explain the concept of independence let us present some motivating scenarios first.

Example 1 Contract bidding^1: The city of Cambridge decides to sell an estate along the Charles River and invites potential buyers to bid for the deal. The city publishes a public-key encryption scheme $E$ for interested parties to send their bid. Both Harvard University and MIT are interested in buying the estate. MIT places its bid by sending $m_M = E(b_M)$ over an insecure phone line. Harvard is tapping the line and overhears the MIT bid. In spite of the security of the encryption scheme $E$, Harvard is now able to at least tie the MIT bid, by sending over $m_H = m_M$. Even requiring Harvard to send a different ciphertext would not solve the problem, since it could still be possible to produce a ciphertext $m_H \ne m_M$ that decrypts to a lower bid.

Example 2 Coin flipping: $n$ players decide to flip together a common and random coin $b$. A way to do this would be for each player $P_i$ to broadcast a bit $b_i$ and then set $b$ to be the XOR of all the broadcast bits. This is clearly a bad idea, since the last player that broadcasts his/her bit decides the value of the coin. Similarly, having all the players commit to their bits by posting $E(b_i)$, where $E$ is an encryption scheme, and then having them decommit, does not solve the problem either since, as we saw in the previous example, encryption alone does not guarantee independence. For example it could be possible for the last player, after seeing $E(b_1), \ldots, E(b_{n-1})$, to broadcast $m_n$ such that at decommitting time $b = 0$. Worse, a player could decide not to decommit his/her bit if he/she realizes that the outcome of the coin toss is not the desired one.

Example 3 Electronic elections: In the future we may think of running elections on the network. A possible way of doing this would be to have a center collecting the votes sent to it in some encrypted form. However we need to make sure that cast votes are independent, i.e., that seeing the ciphertext of one voter does not influence the actions of another voter.

The examples above show that encryption is necessary for this task, but not sufficient. The reason is that the definition of semantic security for cryptosystems [9] guarantees that given a ciphertext we cannot learn anything about the corresponding cleartext. However in distributed settings this is not enough: we want the ciphertext to be completely useless. As pointed out in [5], independence is clearly an extension of the concept of semantic security.



^1 This example has been adapted from a similar one described in [5].



1.2 Previous work 

Chor and Rabin in [3] put forward a first formal definition for the problem of simul- 
taneous broadcast: a protocol that allows n players to independently announce n bits. 
Their solution requires O(log n) rounds to complete. Clearly this protocol solves the 
coin flipping problem. 

Subsequently, in a very nice paper, Dolev, Dwork and Naor [5] addressed, in a quite different setting, the problem of independence in encrypted communication and zero-knowledge proofs. They call their property non-malleability. They present non-malleable bit commitment schemes, encryption schemes and zero-knowledge interactions. In particular they solve the contract bidding problem.

1.3 Our contribution 

In this paper, drawing from ideas of our predecessors, we improve on those previous 
results. More in detail: 

1. We describe a constant round protocol for simultaneous broadcast. In doing that we will heavily rely on the properties of non-interactive zero-knowledge proofs as introduced by Blum, De Santis, Micali and Persiano in [2].

2. We refine the definition of independence to a stronger one. In fact both [3] and [5] define the independence property with respect to a polynomial-time bounded observer. That is, no polynomial-time Turing machine that has access to a random sample of successful executions of the protocol is able to detect any correlation among the committed values of the players. In particular neither the players nor the adversary are able to do so. Our definition instead, as we will see shortly, proposes something that we would call statistical independence, i.e., we require that an observer of any computational power who is given a polynomial size random sample of successful executions of the protocol will not be able to detect any correlation among the values of the good players. A fortiori this will be valid for the players themselves and the adversary, since we assume them to be polynomially bounded.

3. We present an attack on the Sako-Kilian election scheme presented at CRYPTO 94 [10]. The idea of using non-interactive proofs to reduce the rounds of communication in a protocol is not new. For example this is what Sako and Kilian do in their protocol. However one must be careful in the use of such a powerful tool. We will show that their protocol fails to achieve independence between cast votes. Using the techniques described in this paper we show how to modify their protocol in order to achieve this fundamental property.



2 Non-interactive zero-knowledge proofs 

Before we dive into the description of our work, let us recall the notion of zero- 
knowledge proofs of knowledge without interaction. For details readers are referred 
to the original paper by Blum et al. [2] on non-interactive zero-knowledge proofs and 
the later one by De Santis and Persiano for the specific case of proofs of knowledge 
[4]. In this section we will also prove a technical lemma which will be useful to us 
later. 

In a non-interactive proof, prover $P$ and verifier $V$ share a common input $x$ and a random string $\sigma$. $P$ runs on those inputs and produces a string $\pi$, and $V$ runs on $x, \sigma, \pi$ for polynomial time and either accepts or rejects. We call $\sigma \circ \pi$ the view of the protocol.

A pair of Turing machines $(P, V)$ constitutes a non-interactive zero-knowledge proof system (NIZKPS) for a language $L$ if the following conditions are met.

Completeness For all $x \in L$ and random strings $\sigma$, $V(x, \sigma, \pi)$ accepts with probability 1.

Soundness For all $x \notin L$ and all candidate proofs $\pi'$ produced by any Turing machine $P'$, $V(x, \sigma, \pi')$ rejects with high probability over the random string $\sigma$ (i.e., $> 1 - 2^{-2|x|}$).

Zero-knowledge There exists a probabilistic polynomial time Turing machine $S$, called the simulator, which on input $x \in L$ produces a view of the protocol with a probability distribution indistinguishable from the true one.

In [2] the authors describe a NIZKPS for the language SAT and so for all NP. In their 
protocol the Prover can be a polynomial time machine provided he knows a satisfying 
assignment for the formula. Protocols of this kind are called proofs of knowledge. In 
that case (see [4]) the soundness condition is changed to one requiring the Prover to 
know a witness of the theorem whenever he convinces the Verifier. By "knowing a 
witness" we mean as usual that there exists a knowledge extractor M which given 
access to P efficiently produces a witness. 

In order to use non-interactive proofs in a distributed computing setting we have to make sure that a faulty process really gains nothing from seeing someone else's proof. For example if $P_j$ publishes $s_j = E(b) \circ \pi$, where $\pi$ is a NIZK proof of knowledge of the bit $b$, a faulty $P_i$ could post $s_i = s_j$ and pretend to have published (and to know) the same bit. In order to avoid that we are going to prove the following lemma:

Lemma 1 Given a language $L$, a NIZKPS $(P, V)$ for $L$, $n$ strings $x_1, \ldots, x_n \in L$, $n + 1$ random strings $\sigma_1, \ldots, \sigma_n, \rho$, and proofs $\pi_i = P(x_i, \sigma_i)$: if an algorithm $A$ on input $x_1, \ldots, x_n$, $\sigma_1, \ldots, \sigma_n$, $\pi_1, \ldots, \pi_n$, $\rho$ outputs a string $y \in L$ and a $\pi$ such that $V(y, \rho, \pi)$ accepts with non-negligible probability, then $A$ knows a witness for $y \in L$, i.e., there exists an algorithm $M$ that given access to $A$ outputs a witness for $y \in L$ with non-negligible probability.



What the lemma basically says is that if we change the random string then proofs 
relative to other random strings will be of no use to fabricate a new theorem and a 
"good proof" for it. The reason this is true relies on the simulatability of NIZKP. 

Sketch of Proof If algorithm A comes up with the theorem and the proof effi- 
ciently given access to proofs produced by P, she could do that herself by running 
the simulator instead. So we would have an efficient algorithm convincing the Veri- 
fier with non-negligible probability and according to the soundness condition, A must 
know a witness of the theorem. ■ 

The lemma does not apply in the "copying" situation, because in that case the faulty 
processor is choosing the reference string as well as the theorem (both equal to the 
ones of the good processor) instead of picking it at random. 

Notice that one of the consequences of this lemma is that access to the random string $\rho$ before the choice of the theorem $y$ does not help in proving false theorems. This fact was already mentioned in the original paper [2] and will be important later.

2.1 The Fiat-Shamir heuristic 

The Fiat-Shamir heuristic is a less rigorous but more efficient way of building non-interactive proofs. The heuristic is based on a secure hash function. When the prover wants to create a non-interactive proof of a theorem he just runs the usual interactive protocol by himself. To do that honestly, he computes the challenges of the Verifier at each round by applying the hash function to his messages so far. This way he obtains random-looking bits, and still the Verifier can check that the process has been performed correctly. There is no proof that this method performs correctly, but in practice no attacks are known.

However also in this case we need some way to ensure that faulty processes cannot correlate their proofs to the good processes' ones. As before the idea is to make sure the random challenges are different, and the way to do it is to "personalize" the messages that each party sends to the others.

3 Simultaneous Broadcast 

What exactly is independence? If we go back to the contract bidding example we notice that Harvard's actions are not independent of MIT's, because Harvard is acting based on MIT's messages.

In simultaneous broadcast we would like each player to behave as if the other players were not there or, in better words, regardless of what the other players do during the protocol. If we model each player as a probabilistic Turing machine, then the value it announces is a function of its input, its internal coin tosses and possibly of the announced values of the other players. The key point in defining independence is to avoid this functional dependence by imposing that, say, $P_i$ commits to a certain value with the same probability no matter what $P_j$ has committed to. In this section we will try to cast this intuition in a formal definition.

In the following we will refer to a quantity as negligible if it can be made smaller 
than the inverse of any polynomial in a security parameter that we assume is given 
as common input to all the players. 

An $n$-party protocol is an $n$-tuple of probabilistic polynomial-time interactive Turing machines (that we will call players in the following) $(P_1, \ldots, P_n)$. In our model these processors are connected by one-to-one communication channels and each processor has a dedicated broadcast channel. Channels are public, i.e. any player can overhear the messages sent on any channel. We assume that there is an adversary $A$ that decides dynamically which players to corrupt and that coordinates the actions of the corrupted players. In our model the adversary is computationally bounded: indeed she can corrupt at most a fixed fraction of the processors and perform only polynomial time computations. The adversary is allowed rushing, i.e. messages sent at round $i$ by faulty processors may depend on messages sent at round $i$ by the honest processors. With $t$ we denote the fault-tolerance of the protocol, that is the number of players the adversary can corrupt.

Let's suppose without loss of generality that the value to be announced is a bit $b \in \{0,1\}$. Simultaneous broadcast is a protocol composed of two parts (Commit, Reveal) that satisfy the following requirements.

Requirement 1: Honest commitment 

At the end of Commit, for each player $P_i$ there is a fixed value $b_i \in \{0, 1, *\}$ assigned to him. In other words there exists a computationally unbounded Turing machine that, given as input a transcript of the protocol, outputs $b_1, \ldots, b_n$. If $P_i$ follows the protocol then $b_i \in \{0, 1\}$. We will say that $P_i$ committed to $b_i$.

Given the previous requirement the following quantities are well defined: for all $P_i$, for all $r \in \{0, 1, *\}^{n-1}$ and for all $b_i \in \{0, 1\}$,

$$p^{P_i}_{b_i, r} = \Pr[\, P_i \text{ commits to } b_i \mid \text{the other players are committing to } r \,]$$

When we say "given that the other players are committing to $r$" we mean that if $r_j$ is the $j$-th entry of the vector $r$ then

• if $j < i$ then $P_j$ is committing to $r_j$

• if $j \ge i$ then $P_{j+1}$ is committing to $r_j$

We can now define the independence property as the second requirement that we ask 
from our protocol 

Requirement 2: Independence 

For all probabilistic polynomial time Turing machines $P'_1, \ldots, P'_n$ and for all $i$, if $P'_i$ is good throughout the protocol then for all $b_i \in \{0, 1\}$ and all $r, s \in \{0, 1, *\}^{n-1}$ the quantity

$$\left| \, p^{P'_i}_{b_i, r} - p^{P'_i}_{b_i, s} \, \right|$$

is negligible.

This formalization guarantees statistical independence of the committed values. This is where our definition differs from the ones presented previously. In fact the definitions in [3, 5] require the values $b_i$ and $r$ to appear independent to a probabilistic polynomial time judge. If we assume the players to be computationally bounded this is enough to guarantee the independence of their actions.

We insist on statistical independence because (1) it is conceptually simpler, (2) it is a stronger requirement, meaning that not only the players or the adversary, but also any outside observer, no matter what her computational power might be, will be unable to detect correlations, and (3) it is not harder to achieve than "computational" independence.

Notice that we require independence only for the good players. Indeed since the 
adversary coordinates the actions of the corrupted players we cannot rule out the 
possibility of the values of bad players to be in some way related to each other. But 
with this definition we are sure at least that the value of a good player is independent 
with respect to those of all the other players, honest or corrupted. 

Requirement 3: Recovery 

At the end of the protocol each good processor $P_i$ outputs an $n$-bit vector $B_i = (B_{i,1}, \ldots, B_{i,n})$ such that

• if $P_i$ and $P_j$ are good processors then $B_i = B_j$

• the event that $\exists k$ such that $B_{i,k} \ne b_k$ happens with negligible probability

This requirement simply says that even if a player stops the protocol after having committed to a bit, it is still possible for the good players to recover his/her value with very high probability.

3.1 Previous solutions 

As noted in the examples provided above, the main problem in achieving indepen- 
dence is that some parties may commit to a value without knowing it, but being 
sure that it is correlated to someone else's value. As pointed out in [3] and [5] the 
problem is eliminated by requiring each party to provide a zero-knowledge proof of 
knowledge of the committed bit. A simple solution would then be to have each player 
commit to his/her bit in a given order and then prove in zero-knowledge that he/she 
knows the value he/she has committed to. This solution however is very expensive 
in terms of round complexity since it requires 2n rounds of computation. Indeed 
to avoid correlation each proof must be conducted separately from the others and 
not concurrently. Suppose in fact that a faulty Pi and a correct Pj are concurrently 
providing zero-knowledge proofs, then when queried Pi could use Pj as an oracle to 
answer his queries. 

Chor-Rabin in [3] solve this problem by a clever way of scheduling the zero-knowledge proofs. In their protocol each player $P_i$ broadcasts his encryption scheme $E_i$ and the encrypted value $E_i(b_i)$. Then each player proves in zero-knowledge that he knows $b_i$. To avoid correlation between the proofs this is done $O(\log n)$ times, in such a way that for every pair of processors $P_i, P_j$ there is a phase in which $P_i$ acts as a prover and $P_j$ only as a verifier. Moreover, to allow recovery of the values, they add a Verifiable Secret Sharing (VSS) of the value $b_i$. At the end this results in an $O(\log n)$ rounds protocol. The cryptographic assumption needed for the protocol is the existence of one-way functions.

3.2 Our constant rounds solution 

Our solution to the simultaneous broadcast problem is based on the Chor-Rabin protocol. Each processor broadcasts his value encrypted and then a NIZK proof of knowledge of the value broadcast. In doing this we make sure that each player refers to a different and independently chosen random string to prove his statement. Because of Lemma 1 this eliminates the risk of correlation. Then each player shares his value among all other players using the VSS protocol from [8]. The total number of rounds is constant. To be able to use NIZK proofs we must assume the existence of trapdoor permutations (see [6]).

We assume that the players share a random string $\sigma$ of $nk$ bits, where $k$ is the length needed for the reference string in order to do a NIZKP in our protocol. When $P_i$ wants to produce a NIZKP (and as we will see he has to do that only once during the protocol) he refers to the string $\sigma_i = \sigma[(i-1)k + 1 \ldots ik]$. We will show later how to eliminate this common randomness assumption.

In the following description of the protocol, let $t$ be the allowed fault tolerance (a fixed fraction of $n$, as in the model above).

Protocol 1 

1. Each process $P_i$ publishes his own public-key encryption scheme $E_i$. $E_i$ is actually a probabilistic encryption scheme as in [9].

2. Each process $P_i$ publishes a string $s_i = E_i(b_i, r_i) \circ \pi_i$ where

• $b_i$ is the value $P_i$ wants to announce

• $r_i$ is the randomness used for the probabilistic encryption

• $\pi_i$ is a NIZK proof that $P_i$ knows $b_i$, relative to the random string $\sigma_i$

3. Each process checks what $P_i$ broadcast, i.e. runs the verification procedure on the string $s_i$, and if the proof fails broadcasts a disqualification vote for $P_i$. If $t + 1$ such votes are cast, $P_i$ is disqualified and his value is assumed to be $*$.

4. Each non-disqualified process $P_i$ shares his value $b_i$ among all players using the VSS protocol of [8]. I.e., $P_i$ chooses a random polynomial $R_i(x)$ of degree $t$ such that $R_i(0) = b_i$. $P_i$ sends to player $P_j$ the value $R_i(j)$ encrypted with $P_j$'s public key. Then he proves in zero-knowledge that the shared value is identical to the one announced in round 2. This proof can be conducted interactively or, to save rounds, non-interactively as well.

5. Again each process checks the VSS proof $P_i$ performed during the previous round and, if the proof fails, broadcasts a disqualification vote for $P_i$. If $t + 1$ such votes are cast, $P_i$ is disqualified and his value is assumed to be $*$.

6. Each process $P_i$ broadcasts the values $b_i$ and $r_i$. If these values match the encryption broadcast in round 2, all players accept $b_i$ as $P_i$'s announced value. Otherwise (or if $P_i$ does not broadcast anything) the players run the recovery phase of the VSS protocol and compute $b_i$ on their own.

End of Protocol 1
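The commit, share and reveal-or-recover skeleton of Protocol 1, as an added Python example that is not part of the original paper. It keeps the round structure (rounds 2, 4 and 6) but simplifies everything around it: a SHA-256 hash commitment stands in for the probabilistic encryption $E_i(b_i, r_i)$, shares are handed over in the clear instead of encrypted under $P_j$'s key, and the NIZK proof of knowledge and the proof that the shared value equals the committed one are omitted, so players are assumed to share the bit they committed to, which is exactly what those proofs enforce. The field $GF(q)$ with $q = 2^{127} - 1$, the `aborting`/`lying` corruption model and all function names are this example's own choices.

```python
import hashlib
import secrets

# Field for the Shamir shares (this example's choice): q = 2^127 - 1 is prime.
Q = 2**127 - 1


def commit(bit, rand):
    """Stand-in for E_i(b_i, r_i): a hash commitment to the bit with fresh randomness."""
    return hashlib.sha256(bytes([bit]) + rand).digest()


def share(secret, n, t):
    """Sharing step of round 4: a random polynomial R_i of degree t with
    R_i(0) = secret.  Returns {j: R_i(j)} for players j = 1..n."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    return {j: sum(c * pow(j, e, Q) for e, c in enumerate(coeffs)) % Q
            for j in range(1, n + 1)}


def reconstruct(shares):
    """Recovery step of round 6: Lagrange interpolation of R_i at x = 0 from
    any t + 1 (or more) consistent shares {j: R_i(j)}."""
    total = 0
    for j, yj in shares.items():
        num, den = 1, 1
        for m in shares:
            if m != j:
                num = num * (-m) % Q
                den = den * (j - m) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total


def run_protocol(bits, t, aborting=(), lying=()):
    """Simulate rounds 2, 4 and 6 of Protocol 1 for players P_1..P_n, with
    bits[i-1] = b_i.  Players listed in `aborting` send nothing in round 6,
    players in `lying` reveal the wrong bit.  Returns the vector B that every
    honest player outputs (Requirement 3): an accepted reveal where the opening
    matches the commitment, VSS recovery from honest players' shares otherwise."""
    n = len(bits)
    corrupted = set(aborting) | set(lying)
    if len(corrupted) > t or n - t < t + 1:
        raise ValueError("need at most t corrupted players and n - t >= t + 1 honest shares")
    honest = [j for j in range(1, n + 1) if j not in corrupted]

    # Round 2: every P_i publishes its commitment.  Round 4: every P_i shares b_i.
    published, shares = {}, {}
    for i, b in enumerate(bits, start=1):
        r = secrets.token_bytes(16)
        published[i] = (commit(b, r), r)
        shares[i] = share(b, n, t)

    # Round 6: reveal, check against the commitment, fall back to recovery.
    output = []
    for i, b in enumerate(bits, start=1):
        if i in aborting:
            opening = None
        elif i in lying:
            opening = (1 - b, published[i][1])
        else:
            opening = (b, published[i][1])
        if opening is not None and commit(*opening) == published[i][0]:
            output.append(opening[0])
        else:
            output.append(reconstruct({j: shares[i][j] for j in honest[:t + 1]}))
    return output


if __name__ == "__main__":
    print(run_protocol([1, 0, 1, 1, 0, 1, 0], t=2, aborting=(3,), lying=(5,)))
```

Recovery only works because the shares of a player are consistent with the bit it committed to; in the real protocol that consistency is what the zero-knowledge proof of round 4 (and the disqualification votes of round 5) guarantee, and it is assumed here. The check `n - t >= t + 1` is the condition under which the honest players alone hold enough shares to interpolate.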

The proof of the correctness and security of this protocol is quite simple. Intuitively the reasoning is as follows. Because of Lemma 1, at the end of round 3 every player who has not been disqualified must know the bit he is committed to. This is the bit the player must share and eventually broadcast at the end. If a bad player manages to correlate his bit to the one of a good player $P_i$ then, since he knows the value of his own bit from the beginning, one can show that the encryption scheme $E_i$ is not secure.

Theorem 1 Protocol 1 is a constant round simultaneous broadcast protocol. 

Sketch of Proof The honest commitment and recovery requirements are easily seen to be met by the protocol. The main point is the independence requirement. We proceed by contradiction. Suppose that there exists an adversary $A$ who is able to correlate, i.e. there exist a good player $P_i$ and $r, s \in \{0, 1, *\}^{n-1}$ such that w.l.o.g.

$$\left| \, p^{P_i}_{0, r} - p^{P_i}_{0, s} \, \right| > \frac{1}{q(n)}$$

where $q$ is a polynomial.

By the usual hybrid argument we can prove that there exist $t, u \in \{0, 1, *\}^{n-1}$ such that w.l.o.g.

$$t_l = u_l \text{ for all } l \ne j, \qquad t_j = 0 \quad \text{and} \quad u_j = 1$$

and

$$\left| \, p^{P_i}_{0, t} - p^{P_i}_{0, u} \, \right| > \frac{1}{p(n)}$$

with $p(n)$ polynomial. That is, the probability that the good player $P_i$ commits to 0 changes noticeably depending only on whether $P_j$ commits to 0 or to 1.

At this point we can construct an inverter $I$, that is an efficient algorithm that breaks the encryption scheme $E_i$ of player $P_i$ using $A$ as an oracle. On input $E_i(b_i)$, $I$ runs a simulation of the first three rounds of the protocol. It plays the role of $P_i$ on the network of players, using the advice of $A$ to corrupt players. Under the condition that $A$ does not corrupt $P_i$ (this event must happen with non-negligible probability) we know that the bit of $P_j$ is equal to the one of $P_i$ with probability noticeably bigger than $1/2$. Running the knowledge extractor on $P_j$'s proof therefore returns $b_i$ with non-negligible advantage. ■

A possible source of worry in this protocol is the fact that the random string $\sigma_i$ is easily accessible to $P_i$ before the beginning. But as we noticed in the previous section this will not help $P_i$ in manufacturing a false proof. A way of eliminating the common randomness assumption would be to give to each player a string $\tau_i = \tau_{i,1} \circ \tau_{i,2}$ describing his identity (we can think of it as full name, date of birth, social security number etc.) known to everybody. Then assume the existence of a pseudo-random function generator like the one in [7], and set $\sigma_i = f_{\tau_{i,1}}(\tau_{i,2})$.

Remark: We do not need to generate a new string $\sigma_i$ each time we perform the protocol. Indeed, using results in [2, 6], it is known that multiple theorems can be proven using the same random string.

4 Election Protocols 

At CRYPTO 94 Sako and Kilian presented a new voting scheme based on partially 
compatible homomorphisms [10]. Their scheme is based on a previous protocol of 
Benaloh and Yung [1]. Their improvements on the previous scheme are twofold: 

• they use a more general family of homomorphic encryption functions based on 
a discrete-log like problem. 

• they incorporate more modern techniques (which were not available at the time 
of the original paper of Benaloh and Yung) to improve the overall efficiency of 
the protocol. 

In particular they make extended use of the Fiat-Shamir heuristic for removing interaction from proofs of knowledge, and so improve substantially on the round complexity of the protocol.

In this section we will show that the scheme described in [10] fails to achieve independence between votes cast by different players. The problem lies in a wrong application of the Fiat-Shamir heuristic that brings consequences similar to the ones described in Section 2.1. Using the techniques described in this paper we will also present various ways to fix these problems.

4.1 Sako-Kilian protocol 

Let us summarize the Sako-Kilian protocol in its most important aspects. The protocol is based on a pair of partially compatible homomorphic encryption functions, i.e., a pair of functions $\{E_1, E_2\}$ over $\mathbb{Z}_q$ (with $q$ prime) such that:

• $E_i(x + y) = E_i(x) E_i(y)$

• the two distributions

  1. $(E_1(x), E_2(y))$ with $x$ and $y$ chosen uniformly

  2. $(E_1(x), E_2(x))$ with $x$ chosen uniformly

  are computationally indistinguishable

Suppose there are two centers $C_1, C_2$ counting votes. Let $k_1, k_2$ be their public keys respectively for a fixed public-key encryption scheme $E$ (which need not be a homomorphism). The protocol goes as follows:

Vote casting Voter $P_i$ chooses his vote $v_i$: $1$ for a "yes" vote, $-1$ for a "no" vote. He then chooses randomly $x_{i,1}, x_{i,2}$ such that $v_i = x_{i,1} + x_{i,2}$. He posts $y_{i,1} = E_1(x_{i,1})$ and $y_{i,2} = E_2(x_{i,2})$ and proves in zero-knowledge that $x_{i,1} + x_{i,2} = 1$ or $-1$. We will describe this proof later. Then voter $P_i$ posts $E(k_j, x_{i,j})$ for $j = 1, 2$.

Vote counting Center $C_j$ decrypts $x_{i,j}$ and checks that it agrees with $y_{i,j}$. Center $C_j$ sums up all the $x_{i,j}$ to obtain $t_j$ and posts $t_j$. Each voter checks that $E_j(t_j) = \prod_i y_{i,j}$. Finally set $T = t_1 + t_2$. $T$ is equal to the difference between "yes" and "no" votes.
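The vote casting and counting steps above, as an added Python example (this is not code from the Sako-Kilian paper). It instantiates the pair $E_1, E_2$ as $E_1(x) = g_1^x$ and $E_2(x) = g_2^x$ in the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a toy safe prime $p = 2q + 1$, which gives the homomorphic property $E_j(x + y) = E_j(x) E_j(y)$ directly. The parameters, the omission of the centers' public-key encryption $E(k_j, \cdot)$ and of the correctness proof $\pi_i$ (the votes are taken as already checked), and all function names are this example's assumptions.

```python
import secrets

# Toy parameters (this example's choice): p = 2q + 1 with q prime; the two
# generators are squares mod p and therefore have order q.
P, Q = 2039, 1019
GEN = {1: 4, 2: 9}


def enc(j, x):
    """Homomorphic function E_j : Z_q -> Z_p^*, with E_j(x + y) = E_j(x) E_j(y)."""
    return pow(GEN[j], x % Q, P)


def cast(vote):
    """Voter P_i: split v_i in {+1, -1} as x_{i,1} + x_{i,2} = v_i (mod q) and post
    (y_{i,1}, y_{i,2}) = (E_1(x_{i,1}), E_2(x_{i,2})).  The pair (x_{i,1}, x_{i,2})
    is what the two centers would receive, each its own share, under E(k_j, .)."""
    if vote not in (1, -1):
        raise ValueError("vote must be +1 (yes) or -1 (no)")
    x1 = secrets.randbelow(Q)
    x2 = (vote - x1) % Q
    return (enc(1, x1), enc(2, x2)), (x1, x2)


def center_tally(j, posted, received):
    """Center C_j: check every decrypted x_{i,j} against the posted y_{i,j} and
    return t_j = sum_i x_{i,j} mod q.  A mismatching share is an invalid vote."""
    for y, x in zip(posted, received):
        if enc(j, x[j - 1]) != y[j - 1]:
            raise ValueError(f"a share does not match the posted value for center C_{j}")
    return sum(x[j - 1] for x in received) % Q


def universally_verify(j, posted, t_j):
    """Anyone: check E_j(t_j) = prod_i y_{i,j} from the public board alone."""
    prod = 1
    for y in posted:
        prod = prod * y[j - 1] % P
    return enc(j, t_j) == prod


def result(t1, t2):
    """T = t_1 + t_2 mod q, mapped back to the signed count (yes minus no)."""
    T = (t1 + t2) % Q
    return T if T <= Q // 2 else T - Q


if __name__ == "__main__":
    board, private = map(list, zip(*[cast(v) for v in (1, 1, -1, 1, -1)]))
    t1, t2 = center_tally(1, board, private), center_tally(2, board, private)
    print(universally_verify(1, board, t1), universally_verify(2, board, t2), result(t1, t2))
```

The public check $E_j(t_j) = \prod_i y_{i,j}$ is what makes a center unable to misreport its partial sum; it says nothing about whether each $x_{i,1} + x_{i,2}$ was really $\pm 1$, which is the job of the proof $\pi_i$ discussed next.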

The zero-knowledge protocol to check the correctness of the vote can be found in the original paper [10]. It is a straightforward commit-challenge-reveal protocol. To eliminate interaction the Fiat-Shamir heuristic is used. The protocol is run in parallel, say, 60 times (to achieve a probability of error $< 2^{-60}$) and the 60 bits of the verifier's challenge are obtained by applying a random-looking hash function to the prover's first messages (this is what Sako and Kilian suggest in their paper; we will see shortly how this is the cause of serious problems). Assuming that the hash function behaves as a random oracle, one can prove that the probability of cheating for the prover is $< 2^{-60}$. One of the main advantages of this approach is universal verifiability, i.e., everybody can check the correctness of $P_i$'s vote and of the entire election protocol. With these improvements voter $P_i$ must post just a single string $s_i$ to cast his vote. $s_i$ has the following form:

$$s_i = E_1(x_{i,1}) \circ E_2(x_{i,2}) \circ \pi_i \circ E(k_1, x_{i,1}) \circ E(k_2, x_{i,2})$$

where $\pi_i$ is the non-interactive proof that the vote is correct. For ease of notation let us define

$$a_i = E_1(x_{i,1}) \circ E_2(x_{i,2}) \circ E(k_1, x_{i,1}) \circ E(k_2, x_{i,2})$$

i.e., $s_i$ minus the proof $\pi_i$.

Suppose now voter $P_j$ wants to copy $P_i$'s vote. The only thing he has to do is to post the exact same message as $P_i$ did. So $P_j$ waits for $P_i$ to cast his vote $s_i$ and then posts $s_j = s_i$. Requiring every single voter to post a different string $s$ is not satisfactory for two reasons:

1. it introduces interaction between the centers and the voters

2. it requires some extra assumption on the encryption functions $E_1$ and $E_2$, stating that given a string $s$ it is infeasible to produce a string $s'$ that casts the same vote

4.2 How to fix this problem 

A first solution would be to construct the string $\pi_i$, that is the non-interactive proof that $P_i$'s vote is correct, differently. Instead of using the Fiat-Shamir heuristic we could directly use non-interactive zero-knowledge proofs. To do this we need shared randomness, i.e. we need to associate each voter with a publicly known random string $\sigma_i$. Alternatively we could use an identity string $\tau_i$ to generate a pseudo-random string $\sigma_i$ as described in the previous section. Then $\pi_i$ will be a NIZKP relative to the string $\sigma_i$. As we remarked before, advance knowledge of the string $\sigma_i$ will not help $P_i$ in fabricating a false proof. Such a proof could be constructed by reducing the problem to a SAT formula and then using the Blum et al. protocol. All these computations can be performed off-line, so the relative inefficiency of this method does not really constitute a serious problem.

A second, probably more efficient, solution can be obtained by modifying the implementation of the Fiat-Shamir heuristic in the following way. After running in parallel 60 copies of the first round of the interactive proof that the vote is a correct one, compute the challenges of the verifier as $h(a_i \circ \tau_i)$, where $h$ is the hash function and $\tau_i$ is the identity string of $P_i$.^2 A copied string $s_j = s_i$ then fails verification, because the verifier recomputes the challenge with $P_j$'s identity $\tau_j$ and obtains a value different from the one $\pi_i$ answers.

The first solution has the advantage of being provably secure and not a heuristic that holds conditioned on the "goodness" of the hash function.
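The two situations discussed in Section 2.1 and here, a plain Fiat-Shamir transcript that a second party can simply replay and the "personalized" challenge $h(a_i \circ \tau_i)$ that defeats the replay, as an added Python example; it is not code from this paper or from the Sako-Kilian scheme. It uses a Schnorr proof of knowledge of a discrete logarithm on the secp256k1 curve as a stand-in for the vote-correctness proof $\pi_i$ (the curve, the SHA-256 challenge derivation, the identity strings and all function names are this example's assumptions). `copy_attack` replays $P_i$'s posted string as $P_j$'s: with the unbound challenge the copy verifies, with the identity-bound challenge it does not.

```python
import hashlib
import secrets

# secp256k1: prime field, generator G and its prime order N.  The curve is this
# example's choice, standing in for the discrete-log-like functions of the scheme.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 (None is the point at infinity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def _challenge(a, y, identity):
    """Fiat-Shamir challenge c = H(a o y [o tau]) mod N.  identity=None is the
    unbound form the paper criticises (the challenge depends only on the prover's
    own messages); a bytes identity tau_i gives the personalized form of 4.2."""
    h = hashlib.sha256()
    for pt in (a, y):
        h.update(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    if identity is not None:
        h.update(identity)
    return int.from_bytes(h.digest(), "big") % N


def keygen(x=None):
    """Secret x (the value the voter must prove knowledge of) and public Y = x*G."""
    if x is None:
        x = secrets.randbelow(N - 1) + 1
    return x, _mul(x, G)


def prove(x, y, identity=None):
    """Non-interactive Schnorr proof of knowledge of x with Y = x*G.
    The posted string is s = (Y, A, z) with A = k*G and z = k + c*x mod N."""
    k = secrets.randbelow(N - 1) + 1
    a = _mul(k, G)
    c = _challenge(a, y, identity)
    return y, a, (k + c * x) % N


def verify(proof, identity=None):
    """Recompute the challenge with the *poster's* identity and check z*G == A + c*Y."""
    y, a, z = proof
    if y is None or a is None or not 0 < z < N:
        return False
    c = _challenge(a, y, identity)
    return _mul(z, G) == _add(a, _mul(c, y))


def copy_attack(bound):
    """P_i posts its proof; P_j reposts the identical string as its own vote.
    Returns (P_i's string verifies, P_j's copy verifies)."""
    tau_i, tau_j = (b"voter:P_i", b"voter:P_j") if bound else (None, None)
    x_i, y_i = keygen()
    s_i = prove(x_i, y_i, tau_i)
    s_j = s_i  # P_j never learns x_i; it only copies the posted string
    return verify(s_i, tau_i), verify(s_j, tau_j)


if __name__ == "__main__":
    print("unbound challenge (P_i ok, copy ok):", copy_attack(bound=False))
    print("identity-bound challenge (P_i ok, copy ok):", copy_attack(bound=True))
```

The identity used by the verifier has to come from the bulletin board slot the string was posted to (who posted it), not from a field inside the posted string itself: if $\tau_i$ travelled inside $s_i$, $P_j$ would copy it along with everything else and the check would pass again.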

5 Conclusion 

We have put forward a new and stronger formal definition for the problem of independence in distributed computation. A new constant round protocol for the task of simultaneous broadcast has been presented. Previous solutions were all O(log n) rounds. Moreover, as a practical application of this problem, we have presented some critical remarks on the security of the Sako-Kilian voting scheme. The remarks stem from the failure of that protocol to achieve independence between cast votes. In the spirit of our results we have finally proposed some simple modifications to the Sako-Kilian protocol which greatly enhance its security.



^2 After being notified by the author of this paper of the problem with their scheme, Sako and Kilian independently found a similar fix to this one.